Principles of Processing Customer Data

Effective 01 September 2024

LHV values all of its Clients and respects its Clients’ right to privacy and the protection of their (personal) data.

LHV collects and uses Client Data in order to provide services to its Clients and to improve its services and business processes in line with Client needs.

LHV’s Principles for Processing Client Data (hereinafter the Principles) provide a comprehensive overview of the purposes for which LHV processes Client Data and how, what Clients’ rights are, and how they can exercise these rights.

In addition to these Principles, LHV may also disclose additional information about the Processing of Client Data in service-specific privacy notices, contract terms or other documents related to services or products, as well as on the LHV website (e.g. Terms and Conditions for the Use of Cookies). The Principles apply to the extent that they do not conflict with the terms and conditions of contracts and other information referred to above.

  1. Definitions used in the Principles

    A Client is a natural person who uses, has used or has expressed a wish to use a service provided by LHV or who is otherwise connected to LHV or a service provided by LHV (e.g. a legal or authorised representative of a Client, an insured person or beneficiary under an insurance contract, an heir, provider of surety or other guarantor, a private individual connected with a business Client, a user of an LHV website, a participant in an LHV financial portal forum or a visitor of a Client service office). The Client is subject to all the rights of the data subject as set out in the legislation governing the Processing of Personal Data.
    A Business Client is a legal person who uses, has used or has expressed a wish to use a service provided by LHV or who is otherwise connected with LHV or an LHV service (e.g. guarantor, provider of surety).
    Personal Data is any kind of information on an identified or identifiable natural person.
    Client Data is any information, including information that can be considered a banking secret, which has become known to LHV about a Client or a Business Client.
    Banking Secret is all information and assessments that have become known to AS LHV Pank about its or another credit institution’s Clients and Business Clients.
    Processing is any operation or set of operations, whether automated or not, that is performed on Client Data or on sets of Client Data, such as collection, storage, adaptation and alteration, retention, disclosure and transmission thereof.
    A Third Party is any natural or legal person who is not a Client, a business Client, LHV, an LHV authorised processor or a person who may process Client Data on behalf of LHV or an LHV processor.
    LHV is AS LHV Group and AS LHV Group owns the following undertakings: AS LHV Pank, AS LHV Finance, AS LHV Varahaldus and AS LHV Kindlustus (hereinafter referred to as LHV Pank, LHV Finance, LHV Varahaldus and LHV Kindlustus, respectively).
    LHV Group companies are the undertakings belonging to the AS LHV Group. A list of the undertakings belonging to the Group is available on LHV’s website.
    In addition to the definitions set out above, the Principles also use the definitions set out in the General Data Protection Regulation (EU 2016/679) (hereinafter GDPR).

  2. General provisions

    LHV processes Client Data in accordance with the GDPR, the Personal Data Protection Act, European Union and national legislation regulating financial services, as well as the prevention of money laundering and terrorist financing, and other relevant legislation and guidelines of supervisory authorities.

    The controller of Personal Data is the LHV Group company that determines the purposes and means of the Processing of Personal Data. For example, LHV Pank is the data controller for banking services, LHV Finance for LHV hire-purchase services, LHV Kindlustus for insurance services, and LHV Varahaldus for LHV pension funds.

    LHV Group companies may also act as joint controllers in the Processing of Personal Data. In such a case, the purposes and means of the Processing of Personal Data shall be determined jointly by the respective LHV Group companies. For example, LHV Pank and LHV Bank Limited are co-responsible processors for the Processing of Personal Data relating to Banking Services Clients. LHV Pank, LHV Finance, LHV Varahaldus and LHV Kindlustus are the co-responsible processors of the Personal Data that the Client discloses when creating a user account in the LHV user environment (internet banking and mobile app).

    LHV may involve processors who process Personal Data on behalf of LHV. LHV shall ensure that the authorised processors process Personal Data only to the extent specified by LHV and in accordance with LHV’s instructions. An LHV Group company may also be an authorised processor.

    LHV implements appropriate technical and organisational measures to ensure the lawfulness, confidentiality, and security of Client Data and the Processing thereof.

  3. Sources of Client Data

    LHV adheres to the principle of minimal Processing of Client Data, i.e. LHV only collects and processes Client Data that is necessary to achieve the purpose of the Processing.

    LHV collects Client Data from various sources:

    • from Clients – e.g. data disclosed by Clients when applying for or using the service, data disclosed in Client communications, data related to the use of LHV Internet Bank or mobile account by Clients;
    • from persons related to Clients – e.g. information disclosed by Client’s representatives about the Client in their applications, information disclosed by policyholders about insured persons and/or beneficiaries in their insurance applications;
    • from LHV’s partners and persons involved in the provision of services to Clients. LHV may receive such data if the Client has given prior consent to the cooperation partner or if LHV has a legitimate interest in receiving the data. LHV may receive the data mainly in the course of providing the service, e.g. upon using payment services, SK ID Solutions transfers authentication data, including IP address, to LHV;
    • public databases and private registers – e.g. the Commercial Register, the Population Register, the Land Register, the Central Register of Securities, the KMAIS information system, the Register of Taxpayers, the Register of Motor Insurance, the Register of Buildings, the Register of Pensions, the Official Gazette, the payment default registers managed by AS Creditinfo Estonia and OÜ Krediidiregister;
    • other sources – e.g. from correspondent banks, foreign investment brokers, payment and other financial service providers, insurance providers and insurance intermediaries;
    • from LHV Group companies.

    Client Data may also be the result of Processing by LHV – e.g. user profiles, Client segments, data obtained through analytics and conclusions drawn from analytics-based automated decisions about the Client’s potential preferences and interests.

  4. Categories of Personal Data

    LHV mainly processes the following types of Personal Data:

    CATEGORIES OF PERSONAL DATA | EXAMPLES
    Personal Data, including identification data | Name, personal identification number, date of birth, place of birth, age, nationality, identity document details, facial image, national background details, residence permit details, signature, Client’s video identification data
    Contact data | e-mail address, postal address, telephone, language of communication
    Tax residence data | tax residence, tax identification number, i.e. TIN-code
    Right of representation data | details of the represented person’s birth certificate, details of appointment as guardian, information on the restriction of legal capacity, data regarding the power of attorney
    Third party relationship data | relations with politically exposed persons, relations with successors, relations with other parties involved in the provision of services (e.g. payment counterparty, sureties, owners of collateral assets, insured persons and beneficiaries)
    Payment account data | payment transaction data, incl. time of transaction, payment amounts, payment details, account balance, account number, payment counterparties, limits, card transaction data and data on ATM transactions, purpose of account opening, accounts with other banks, data on payments contested, recalled and cancelled, data on payment account operations (e.g. seizures)
    Deposit data | deposited amount, deposit period, customer orders and operations with deposits
    Family data | marital status, number of dependants
    Professional activity data | position, place of work, field of activity, educational background, level of education, employer, length of service, experience in the field
    Debt data | debt amount, debt period, fines for delay, data on debt elimination, data on underlying agreement, payment default data, incl. time of occurrence and elimination of the payment default
    Financial data | incoming payments forecast, income, commitments, assets, collateral, previous payment behaviour, transactions effected, agreements concluded and terminated, requests submitted, applications submitted, interests and service fees, breaches of agreement, data on credit decisions, downpayment amount
    Asset origin data | origin of money, source of funds on the account, documents on transactions on the payment account
    KredEx surety data | study programme, educational institution, duration of the programme, employer's certificate data, data on certificates verifying the status of a veteran of the Defence Forces of Estonia or the National Defence League.
    Collateral data | type of collateral, value of the collateral, description of and technical data on the collateral, location of the collateral, possessor of the collateral
    Data on the Customer's knowledge and experience | investment-related knowledge and experience, investment objective, knowledge of financial instruments, previous experience in financial instruments, investment-related occupation, work experience in the financial sector, planned duration of investment, risk level
    Securities-related data | securities transactions, securities orders, securities data, transaction value, amount, volume, LEI code, securities portfolio data, margin loan collateral data, virtual portfolio data, suspicious securities transactions and the data related to such transactions
    Alternative investment data | name of investment, amount, purchase price, generated revenue (interest, principal payments), available funds, profit, value
    Client habits, preferences and satisfaction data | Client status, Client segment, activity in the use of services, services and products used, Client inquiries and complaints, posts made at the LHV Financial Portal
    Data on official inquiries | data related to inquiries submitted by investigation authorities, notaries, tax authorities, bailiffs, courts, data on claims (e.g., attachment orders)
    Data on participation in campaigns | prizes won in investment games and other consumer games, participation in LHV campaigns and other LHV consumer games, points collected during campaigns, the alias used for the game, game portfolio data
    Pension data | pension fund data, Client’s pension fund data, pension fund value, applications submitted, pension forecast, retirement age forecast, additional years of pensionable service, pension fund contributions and disbursements, average yield expected by Client, years of pensionable service, insurance component data
    Client device data | type of device, device identifier, IP address, location, browser details, cookie usage information
    Tax data | income based on the income tax return (except for income generated from transfer of assets and taxes paid thereof); payments declared by employer based on TSD; benefits for incapacity for work, unemployment insurance benefits and redundancy benefits, pensions, contributions to the 3rd pension pillar, data on the funded pension based on TSD; dividends and equity-based payments; tax arrears starting from EUR 100
    Bank card data | type of card, term of validity, card status, card number
    Charity organisation data | the name of the charity chosen by the Client, the amount(s) to be donated
    Data on recordings | video recordings, phone call recordings, ATM photos
    Data on offences | data on offences committed, criminal punishment, data on suspicion of offence
    Insurance data | insurance coverage, insured object, insurance period, insurance payment amount, insurance contracts concluded and applications submitted
    Insured event data | description of the event, time and place of the event, cause of damage, person(s) damaged, photos and documents on the damaged object, type and amount of indemnity
    Data concerning health | description of injuries and diseases, description and duration of treatment, diagnoses
    Fund unit data | investment fund, number of units, data on acquisition, redemption and disposal of units
    Alternative investment data (including crypto assets) | crypto asset transactions, crypto asset orders, crypto assets data, crypto transactions value, amount, volume, crypto assets portfolio data
    Book borrowing data | books borrowed, borrowing date, return date, fines for delay

  5. Purposes of and legal basis for the Processing of Personal Data

    LHV processes Personal Data both for the performance of legal obligations arising from legislation (national and European Union legislation), for the performance of a contract concluded with a Client or in preparation for a conclusion of a contract (e.g. to process an application submitted by a Client), on the basis of the Client’s consent and in the legitimate interests of LHV or third parties. On the basis of legitimate interest, LHV will process Personal Data only if it has assessed in advance that the Processing of the Personal Data will not unduly infringe on the rights of the Client.

    LHV’s legitimate interests are expressed primarily in the promotion of LHV’s business and the development of products and services with the aim of offering better products and services to its Clients, ensuring data and information security, risk management, as well as the protection of its rights in the event of legal disputes.

    LHV processes Personal Data mainly for the following purposes and on the following legal grounds:

    PURPOSES OF DATA PROCESSING | CATEGORIES OF PERSONAL DATA | LEGAL BASIS FOR PROCESSING
    Identification | Personal data | legal obligation arising from the Money Laundering and Terrorist Financing Prevention Act; legitimate interest in identifying the customer and hedging risks
    Verification of the identity document, right of representation and accuracy of data | Personal data; Right of representation data | Legal obligation arising from the Money Laundering and Terrorist Financing Prevention Act; legitimate interest in verifying the accuracy of data submitted by the Client, and hedging risks; conclusion of contract
    Application of due diligence measures and monitoring of the business relationship | Personal data; Contact data; Right of representation data; Third party relationship data; Payment account data; Professional activity data; Asset origin data; Securities-related data; Data on official inquiries; Data on offences; Customer device data; Data on recordings | legal obligation arising from the Money Laundering and Terrorist Financing Prevention Act and public interest
    Collection and reporting of tax information | Personal data; Tax residence data; Contact data; Payment account data; Securities-related data; Deposit data | legal obligation arising from the Tax Information Exchange Act
    Succession-related acts | Personal data; Payment account data; Securities-related data; Debt data; Contact data; Deposit data; Fund unit data; Pension data; Third party relationship data | performance of the agreement; legal obligation arising from the Funded Pensions Act
    Engagement of deposits | Deposit data; Personal data | Conclusion and/or performance of the agreement
    Customer relationship management, fulfilment of the Customer notification requirement | Contact data | legal obligations arising from various legal acts (e.g. Securities Market Act, Law of Obligations Act); legitimate interest in customer relationship management; performance of the agreement
    Direct marketing, organisation of campaigns, feedback | Contact data; Personal data; Data on participation in campaigns; Debt data; Customer habits, preferences and satisfaction data | consent; legitimate interest in the sale of products and services; legitimate interest in telephone sales; legitimate interest in the use of debt data for responsible marketing of credit products
    Provision of credit services (disbursement of loans, credit decisions, verification of the KredEx surety conditions, making indicative offers) | Personal data; Contact data; Financial data; KredEx surety data; Collateral data; Third party relationship data | conclusion and/or performance of contract
    Assessment of the Client’s creditworthiness and credit risk management | Personal data; Family data; Professional activity data; Financial data; Data on offences; Debt data; Payment account data; Collateral data; Pension data; Third party relationship data; Asset origin data; Tax data; Securities-related data | legal obligation arising from the Creditors and Credit Intermediaries Act and the Law of Obligations Act, and legitimate interest in organising risk management and hedging credit risk; consent to the use of tax data
    Appraisal of collateral assets | Personal data; Collateral data | legal obligation arising from the Creditors and Credit Intermediaries Act and the Credit Institutions Act
    Provision of investment services (execution and transmission of securities orders, enabling access to Baltic analyses, elimination of margin loan positions, pledging of securities, borrowing securities from the Customer, administration of the investment account, enabling use of the virtual portfolio, enabling a more favourable tax rate for US securities transactions, provision of portfolio management services) | Personal data; Securities-related data; Contact data; Family data; Data on recordings | conclusion and/or performance of the agreement; legal obligation arising from the Securities Market Act and other legislation
    Assessment of suitability and appropriateness in the provision of securities services to the Customer | Personal data; Data on the Customer's knowledge and experience; Professional activity data; Financial data; Securities-related data | legal obligation arising from the Securities Market Act and the Commission Delegated Regulation (EU) 2017/565
    Transaction monitoring with regard to characteristics of market abuse and reporting of suspicious transactions | Personal data; Securities-related data; Professional activity data; Payment account data | legal obligation arising from Regulation (EU) No 596/2014 of the European Parliament and of the Council (market abuse regulation)
    Performance of the account administrator function (subscription of securities, cancellations, interest disbursement, acceptance of pension applications, acceptance of funded pension disbursement applications, exchange of information with the central register of securities) | Personal data; Contact data; Securities data; Pension data | legal obligation arising from the Securities Register Maintenance Act, Securities Market Act and Funded Pensions Act
    Provision of the digital pension solution service | Personal data; Contact data; Pension data | conclusion and/or performance of contract
    Provision of specific pension forecasts for users of the digital pension solution service | Personal data; Family data; Professional activity data; Pension data | consent
    Display of alternative investments in the internet bank | Personal data; Alternative investment data | consent
    Enabling the use of the Trader demo version | Personal data; Contact data | consent
    Organisation of seminars | Personal data; Contact data | consent; legitimate interest in forwarding seminar materials and inviting previous participants to partake in new seminars
    Provision of payment services (acceptance of payment orders, execution and transmission of payment orders, cash deposits and cash withdrawals, ordering of cards, payment recalls and cancellations, contesting of card transactions, ordering of e-invoices, enabling access to mTasku, enabling card payments, transfer of settlement services, enabling use of the virtual ISIC card, enabling use of proxy payments, provision of the payment initiation service) | Personal data; Contact data; Payment account data; Professional activity data; Bank card data | agreement; legal obligation arising from legal acts (e.g. Law of Obligations Act, Regulation (EU) 2015/847 of the European Parliament and of the Council)
    Identification and investigation of tax fraud; ensuring information security | Personal data; Payment account data; Customer device data | legal obligations arising from various legal acts (e.g. Commission Delegated Regulation (EU) 2018/389, guidelines of the Financial Supervision Authority); legitimate interest in ensuring information security and hedging risks
    Enabling use of services provided by payment service providers (e.g. account information services, payment initiation services) | Personal data; Payment account data | legal obligation arising from the Law of Obligations Act and the Commission Delegated Regulation (EU) 2018/389
    Enabling use of charity options | Personal data; Charity organisation data; Payment account data | conclusion and/or performance of the agreement; transmission of data (personal identification code, donation amount) to the chosen charity organisation – the charity organisation's legitimate interest in applying the tax incentive
    Borrowing of books | Personal data; Contact data; Book borrowing data | conclusion and/or performance of contract
    Enabling use of Financial Portal | Personal data; Contact data | conclusion and/or performance of contract
    Protection of the property of Customers, staff members and LHV | Data on recordings | legitimate interest in protecting property and ensuring physical security
    Debt management | Personal data; Contact data; Debt data; Collateral data | legitimate interest in organisation of debt management and ensuring protection of our rights
    Account seizure, response to inquiries and transmission of payment account information | Personal data; Payment account data; Data on official inquiries | fulfilment of legal obligations arising from various legal acts (e.g. Money Laundering and Terrorist Financing Prevention Act, Code of Enforcement Procedure)
    Management of the fund unit register, organisation of redemption and issue of fund units | Personal data; Contact data; Fund unit data | legal obligation arising from various legal acts (e.g. Investment Funds Act, Funded Pensions Act)
    Provision of management company services | Personal data; Contact data; Fund unit data | conclusion and/or performance of contract
    Provision of insurance services (insurance offers, provision of customer support, provision of insurance services, conclusion of contracts and issue of insurance policies, payment of insurance indemnities) | Personal data; Contact data; Insurance data; Bank card data; Data on recordings | conclusion and/or performance of contract
    Ascertaining insurable interest | Personal data; Insurance data; Data on recordings | legal obligation arising from the Law of Obligations Act, Insurance Activities Act
    Determining the amount of the insurance premium | Insurance data; Data on offences; Personal data | conclusion and/or performance of contract; legitimate interest in organisation of risk management and risk hedging
    Loss adjustment, including recording of loss events, decision-making | Personal data; Contact data; Insurance data; Insured event data; Data concerning health; Third party relationship data; Data on recordings | performance of the agreement; health data are processed by LHV Kindlustus for the purposes of the performance of the contract in accordance with subsection 218 (2) of the Insurance Activities Act.
    Submission of information on motor TPL insurance to the Motor TPL insurance registry | Personal data; Insurance data; Insurance event data | legal obligation arising from the Motor Insurance Act and the statute of the motor insurance register

    In addition to the above purposes, LHV also processes Personal Data for the following purposes:

    • administering the Client relationship, inspecting and, if necessary, correcting or supplementing the data submitted by the Client and enabling access to products and services. Processing takes place for performing the contract or adopting measures prior to conclusion of the contract, as well as based on legitimate interest in managing the Client base, improving the services provided to Clients, including eliminating technical malfunctions. Among other things, the data of recordings are processed for the aforementioned purposes;
    • exercising of LHV’s rights in connection with legal requirements, substantiation and defence of rights in court or extra-judicially. Processing takes place on the basis of LHV’s legitimate interest, with the purpose of ensuring protection against legal disputes. Among other things, the data of recordings are processed for the aforementioned purposes;
    • hedging of risks and risk management, e.g. to evaluate or inspect the credit portfolio or collateral assets of LHV, or to prepare audits, stress tests or analyses that partially or completely cover the activities of LHV. Processing takes place for performance of the legal obligation set forth in Regulation 575/2013 of the European Parliament and of the Council and on the basis of LHV’s legitimate interest for the purpose of organising risk management;
    • ensuring physical security and data and information security, and carrying out internal control activities. Processing takes place for performance of a legal obligation set forth in various legal acts, including the Credit Institutions Act, the Financial Supervision Authority’s guidelines and the Creditors and Credit Intermediaries Act, and on the basis of LHV’s legitimate interest for the purpose of organising risk management;
    • Processing of Client complaints. Processing is carried out in order to comply with a legal obligation laid down in various pieces of legislation, including the Securities Markets Act, the Creditors and Intermediaries Act, the Credit Institutions Act and the instructions issued by the Financial Supervision Authority. Among other things, the data of recordings are processed for the aforementioned purposes;
    • conducting consumer surveys, studying consumer habits. Processing is based on LHV’s legitimate interest in obtaining Client feedback and evaluating Client satisfaction with the services and products offered by LHV and thereby developing existing and new products and services;
    • for satisfying the burden of proof in the case of potential disputes, LHV may also collect information concerning receipt of letters sent out containing obligatory contents (e.g. letter recipient, time of sending, information on delivery of letter). Processing takes place on the basis of LHV’s legitimate interest, with the purpose of ensuring protection against legal disputes;
    • the use of cookies and the relevant data Processing is governed by the terms and conditions for use of cookies, published on LHV’s website.
  6. Profile analysis and automated decision-making

    Profiling is the automated Processing of Personal Data used by LHV to assess certain personal characteristics of a Client, in particular to analyse or predict a person's economic situation, their personal preferences, interests, and behaviour.

    For example, LHV uses profiling for direct marketing purposes to make personalised offers to Clients, for risk assessment purposes to comply with the requirements of the Money Laundering Prevention and Terrorist Financing Act, for fraud checks on transactions, for insurance risk assessment, and for assessing the suitability and appropriateness of certain securities services. Automated decisions are also used by LHV to assess the probability of default and to make certain credit decisions (e.g. home loan, credit card). Such Processing of Personal Data is carried out either on the basis of LHV’s legitimate interest (e.g. direct marketing), for the performance of legal obligations, including those arising from the Prevention of Money Laundering and Terrorist Financing Act, the Securities Markets Act and Delegated Regulation (EU) 2017/565 of the European Commission and Regulation (EU) No 575/2013 of the European Parliament and of the Council, or on the basis of the Client's consent.

    The preparation of profile analyses and automated decisions helps LHV to provide services to Clients in a more efficient way and to prevent potential errors. For such Processing, incl. when creating segments or profiles, LHV does not gather separate data on the Client and only uses the data which is available on the Client or which LHV has to gather on the Client based on legal requirements or for risk management (such as payment default, information on penalties, international sanctions and other negative information known to LHV).

    The Client has the right to request a manual review of the decision based on automated Processing by LHV employee(s).

  7. Processing of data relating to Business Clients

    LHV processes data relating to Business Clients for the purposes of fulfilling its legal obligations, concluding and performing contracts and communicating with Business Clients.

    Protection of Business Client Data is regulated by relevant legislation. For instance, LHV Pank’s Business Client Data is protected by bank secrecy.

    LHV complies with the legal requirements when Processing Business Client Data and discloses Business Client Data to third parties only to the extent necessary to fulfil the purpose of the disclosure.

    Although the GDPR does not apply to Business Clients, it does apply to natural persons connected with the Business Client, such as the Business Client’s representatives, members of management bodies, shareholders, partners, beneficial owners, etc.

    During the assessment of the creditworthiness of a Business Client, LHV also processes Personal Data of the following persons related to the Business Client: Member of the Management Board, including Chairman of the Management Board, a shareholder or a shareholder whose shareholding exceeds 5%, a trustee authorised to represent the company. In order to assess whether it is possible to offer a financing service to a Business Client, LHV processes, on the basis of its legitimate interest, data relating to the aforementioned persons, in particular data relating to their payment delays, tax debts, and official notifications.

    LHV processes the data of Business Clients and persons associated with Business Clients, inter alia, for the purposes of preventing money laundering and terrorist financing and complying with sanctions. For this purpose, LHV collects, updates and stores the data of Business Client representatives, shareholders, and beneficial owners.

  8. Processing of personal data for sales and marketing purposes

    LHV wants to offer its Clients and Business Clients products and services that meet their needs, interests and wishes. For this purpose, LHV processes Client Data for the purposes of Client segmentation and profiling, the preparation and delivery of marketing offers, the provision of relevant news and other information and the organisation of campaigns.

    Each LHV Group company may, on the basis of its legitimate interest, make both personalised and general offers to its Clients, using the data available about the Client. If the Client also wishes to receive offers from other LHV Group companies, they can consent to the sharing of their Personal Data between LHV Group companies for the purposes of personalised and general offers, as well as for receiving news.

    LHV will send marketing offers to the Client via the communication channel preferred by the Client. In the LHV user environment (including in Internet Banking and Mobile Banking apps), offers may be communicated to Clients on the basis of LHV’s legitimate interest.

    LHV processes Personal Data automatically for the purposes of compiling a Client profile analysis and making corresponding offers, as well as for calculating personal loan, leasing or insurance limits. Examples of data processed by LHV include Personal Data, contact data, family data, data on the products and services used by the Client, data on offers made to the Client, information on the service and communication channels previously and currently used by the Client, financial data, Client account data, including data on receipts and transactions made, information on the Client’s debts. Profiling analyses are also used to make offers to Clients related to relevant Client programmes.

    LHV may also forward offers from partners related to LHV products or services to its Clients. LHV does not share the data of its Clients with its partners for the purpose of making such offers.

    Clients have the right to object at any time to the Processing of Personal Data for marketing purposes or to withdraw consent to the Processing of their Personal Data. A Client can modify, including withdraw, his/her consent via Internet Banking or mobile banking, by contacting LHV Client support by e-mail or phone, or by visiting a bank office of LHV. Similarly, when receiving an electronic marketing offer, Clients always have the option to opt out of future offers by using the unsubscribe button.

  9. Disclosure of Client Data

    LHV has the right to disclose Client Data to other persons who may be both recipients and processors. Disclosure of Client Data is deemed to be the transmission or otherwise making available of Client Data to other persons.

    The recipient to whom LHV discloses Client Data may be a natural or legal person, a public sector body, an agency or any other body that processes Client Data as an independent controller. The data processor processes Client Data on behalf of and under the instructions of LHV.

    LHV discloses Client Data in particular to the following persons:

    • other LHV Group companies that may process Client Data, for example, for the purposes of Client or business Client identification, updating of Client Data, assessment of expertise, risk management and mitigation, compliance with prudential requirements, including capital and liquidity requirements, assessment of creditworthiness. Client Data is disclosed either to comply with a legal obligation (e.g. risk management, identification), on the basis of a legitimate interest (e.g. to ensure data quality when updating Client Data) or on the basis of the Client’s (including business Client’s) consent;
    • persons and organisations involved in the provision of services and in the performance of a contract with a Client or a business Client (e.g. sureties, co-borrowers, guarantors, owners of collateral, insured persons and beneficiaries, heirs, merchants, international card organisations, payment intermediaries and other payment service providers, bank card centre Nets Estonia AS, insurance providers and intermediaries, e-invoice issuers, credit intermediaries and credit agents, central securities registry, pledge holders, correspondent banks, investment service providers, clearing systems, notaries, translation, communication, IT and postal service providers, MTÜ Federation of Estonian Student Unions, Lithuanian Central Bank as the registrar of nominal payments, bank card cooperation partners). Client Data (e.g. contract data, Personal Data, payment account data, securities data, bank card data, insurance data, insured event data) are transferred for the purpose of the performance of a contract with a Client, as well as for the purposes of the legitimate interest of third parties (e.g. transfer of due diligence data following a request from a correspondent bank);
    • the keepers of payment default registers (AS Creditinfo Eesti and OÜ Krediidiregister), to which LHV discloses information on the basis of LHV’s own legitimate interest and on the basis of the legitimate interest of third parties, in order to enable third parties to assess the Client’s payment behaviour and creditworthiness. The information to be disclosed includes, among other things, information on the Client’s or business Client’s contractual debt of at least EUR 30 with payment overdue by at least 45 days. Disclosure of Client Data to a payment default register is in accordance with § 10 of the Personal Data Protection Act;
    • Society for Worldwide Interbank Financial Telecommunication (SWIFT; www.swift.com). SWIFT data Processing centres are located in European Union Member States and the United States of America. Consequently, the data on bank transactions, including the Personal Data of the payer and the payee, shall be processed in the Processing centres of EU Member States or the USA, regardless of the place where the transfer is initiated. Upon execution of bank transactions, the bank involved in the transaction, the payment intermediary or SWIFT may be obliged to disclose the transaction data and the related data on the Client to the competent authority in the country of residence in the cases provided by the laws of the particular country;
    • service providers to whom LHV has subcontracted its activities (e.g. sales and trading companies in relation to the sale and identification of LHV service products, other LHV companies in relation to the marketing of pension products, account management, server and cloud services, email services, providers of monitoring tools, ATM operators, payment fraud detection partners, e-invoicing partners, claims handling partners, Client support partners, archiving service providers, debt and leasing collection partners). These persons act as LHV authorised processors;
    • LHV consultants or other service providers (e.g. auditors, lawyers). Client Data will be disclosed to these persons for the purpose of providing services to LHV, including representing LHV in litigation, providing legal advice, providing auditing services. The legal basis for the Processing of data is the legitimate interest of LHV;
    • new creditors upon assignment of the right of claim. Client Data to be disclosed includes the underlying contract data and debt data. The legal basis for the disclosure of Client Data is LHV’s legitimate interest in managing credit risk and the fulfilment of its obligations under the Credit Unions and Credit Purchasers Act;
    • other third parties with the consent of the Client or business Client.

    LHV is obliged to publish and disclose Client Data for fulfilment of the obligations imposed by legal acts and international and mutual legal assistance agreements (e.g. disclosure of data to investigation authorities, notaries, trustees in bankruptcy, Tax and Customs Board, Financial Intelligence Unit, Financial Supervision Authority, Motor Insurance Bureau, Funded Pension Registry).

  10. Forwarding Personal Data outside the European Economic Area

    As a general rule at LHV, Personal Data belonging to Clients are not sent outside the European Economic Area. However, if this is done, then before any data is sent, the background of the Third Party is verified thoroughly, and measures are applied to ensure secure data transmission including, if possible, measures to accord Personal Data protection equivalent to that which exists in the European Economic Area.

    When disclosing the Personal Data of a Client located outside the European Economic Area, LHV applies appropriate safeguards, such as transferring the data to a country for which the European Commission has adopted a decision on the adequacy of the level of data protection and the use of standard data protection clauses developed by the Commission.

    In the absence of appropriate safeguards, LHV has the right to disclose Personal Data outside the European Economic Area in situations where disclosure is necessary, for example, to perform a contract between the Client and LHV or to implement measures taken at the Client’s request (e.g. use of foreign brokers to provide investment services, use of correspondent banks to make foreign payments).

    When an international bank transaction involves a financial institution located in a country with an insufficient level of data protection, e.g. a correspondent bank or another payment intermediary, incl. SWIFT, LHV cannot ensure that the data processors of financial institutions located in such countries are subjected to obligations similar to those established for LHV, and that the Client is provided with rights equal to those established for data Processing in the EEA or other countries with a sufficient level of data protection.

    For more information on the transfer of Personal Data outside the European Economic Area, the Client may contact LHV.

  11. Retention of Client Data

    LHV will not process Client Data for longer than is necessary to fulfil the purposes for which the Client Data is being processed, including the obligation to retain Personal Data as provided by law and to protect the rights of LHV to settle a dispute arising out of a contract with a Client or to resolve a potential dispute.

    LHV generally retains Client Data until the expiry of the limitation period for any claims arising from the Client relationship (up to a maximum of 15 years from the end of the Client relationship), unless there is a direct legal obligation to retain Client Data for a different period.

  12. A Client’s rights in connection with Processing of their data

    The Client has the right:

    • to receive information on whether LHV will process their Personal Data and if it does process the data, the right to receive a copy of their Personal Data and to demand corrections to their Personal Data if changes have been made to the data or the data are otherwise inaccurate. The Client has the opportunity to see their Personal Data, e.g. at the bank office of LHV and via the Internet Bank. The Client’s right to see their Personal Data may be limited by legal acts, other persons’ rights to their privacy and LHV’s rights (e.g. protection of business secrets);
    • to withdraw the consent given to LHV to process their Personal Data. Once the consent is withdrawn, LHV will no longer process the Client’s Personal Data for the purposes for which it was being processed on the basis of the Client’s consent;
    • to object to the Processing of their Personal Data, including profiling, by LHV, if LHV processes the data on the basis of its legitimate interest. In this case, LHV is not entitled to further process the Client’s Data, unless the interests of LHV outweigh the possible infringement of the Client's rights (e.g. to comply with general legal obligations);
    • to obtain more information about LHV's legitimate interests with regard to data Processing if LHV processes Personal Data on the basis of legitimate interest;
    • to request the cessation of the Processing of their data if the Processing of their Personal Data is unlawful, i.e. LHV has no legal basis for Processing the data;
    • to request the deletion of their Personal Data, for example, if LHV does not have the right to process such data or if LHV processes Personal Data on the basis of the Client's consent and the Client withdraws their consent. Erasure cannot be requested when or to the extent that LHV has the right or the obligation to process, including store, the Personal Data (e.g. to comply with a legal obligation, to perform a contract, to pursue a legitimate interest);
    • to request restriction of the Processing of their Personal Data, e.g. at a time when LHV is assessing whether the Client has the right to have their Personal Data deleted;
    • to receive their Personal Data which they have provided to LHV and which is processed on the basis of consent or for the performance of a contract, electronically in a commonly used machine-readable format and, where technically feasible, to transmit such data to another service provider.

    The Client can exercise their rights by contacting LHV using the contact details referred to in clause 13. LHV will respond to the claim without undue delay, but no later than one month from the date of receipt of the claim. If it is necessary to clarify the facts, request clarifications or carry out checks before responding to a request, LHV may extend the deadline for responding by informing the Client in advance.

  13. Protection of the Client’s rights

    AS LHV Pank, AS LHV Finance, AS LHV Varahaldus, AS LHV Kindlustus and AS LHV Group are responsible for Processing Client Data. LHV’s contact details are available on the website of LHV at www.lhv.ee.

    Clients may contact LHV in relation to the exercise of their rights. Clients and Business Clients may lodge complaints about the Processing of their data.

    LHV Group companies can be contacted at the address Tartu mnt 2, 10145 Tallinn, e-mail info@lhv.ee, telephone 6 800 400.

    To exercise their rights, Clients may also contact LHV’s Data Protection Specialist at Tartu mnt 2, 10145 Tallinn, e-mail compliance@lhv.ee.

    Clients may at any time seek redress from the Data Protection Inspectorate (website: www.aki.ee) or from the competent court in order to defend their infringed rights.

  14. Amendment and application of the Principles

    LHV Group companies shall have the right to unilaterally amend the Principles in accordance with the valid legislation at any time.

    LHV will notify the Clients of any changes to the Principles on the website www.lhv.ee and/or by means of communication agreed with the Client at least 1 (one) month before the changes enter into force, unless the Principles are changed solely as a result of changes to legislation and/or to comply with legal requirements or the changes do not affect the Processing of Personal Data of existing Clients (e.g. when a new product is launched).

    The Principles shall be applied to the Processing of all Client Data, as well as to Client Relationships established prior to the entry into force of the Principles.